Amendments to the Claims:

This listing of claims will replace all prior versions and listings of claims in the application.

Listing of Claims:

Originally patented claims 1-30 are amended as follows: 

1. (ORIGINAL) A method for managing network access to a data communications 

network, said method comprising: 
maintaining a central database; 

maintaining at least one authentication, authorization and accounting (AAA) service at a point of 
presence (PoP) of the data communications network; and 

configuring a database associated with the AAA service from the central database, wherein said 
configuring includes publishing information from said central database on an information bus as 
at least one event, said AAA service subscribing to said event so as to receive said published 
information so as to thereby update its associated database. 

2. (ORIGINAL) A method in accordance with claim 1, further comprising:

receiving at a protocol gateway in the PoP a network access request from a user through a 
network access server (NAS); 

parsing the network access request for an identification of the user's domain; 
routing the network access request to the AAA service at the PoP if the user's domain 
corresponds to that of the PoP; 
looking up a domain identification entry corresponding to the user's domain in the AAA service's
database if the user's domain does not correspond to that of the PoP; 

proxying the network access request to an AAA service in the user's domain at an address and 
port as specified in the domain identification entry of the database if the user's domain does not 
correspond to that of the PoP. 

3. (ORIGINAL) A method in accordance with claim 2, further comprising: 
obtaining an IP address for the user from the AAA service in the user's domain if the user's 
domain does not correspond to that of the PoP. 

4. (CURRENTLY AMENDED) A method in accordance with claim 2, further 
comprising: 

assigning an IP address to the user from a local DHCP pool of IP [address] addresses if the 
user's domain does not correspond to that of the PoP. 

5. (ORIGINAL) A method in accordance with claim 2, further comprising: 
assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond to that 
of the PoP. 

6. (ORIGINAL) A method for managing network access to a data communications 
network, said method comprising: 

maintaining a central database; 
maintaining a plurality of authentication, authorization and accounting (AAA) services at a point
of presence (PoP) of the data communication network; and 

configuring databases associated with the AAA services from the central database, wherein said 
configuring includes publishing information from said central database on an information bus as 
at least one event, said AAA services subscribing to said event so as to receive said published 
information so as to thereby update their associated databases. 

7. (ORIGINAL) A method in accordance with claim 6, further comprising: 

receiving at a protocol gateway in the PoP a network access request from a user through a 
network access server (NAS); 

parsing the network access request for an identification of the user's domain; 

routing the network access request to one of said plurality of AAA services at the PoP if the
user's domain corresponds to that of the PoP while load balancing among said plurality of AAA
services;

looking up a domain identification entry corresponding to the user's domain in one of said
plurality of AAA service's databases if the user's domain does not correspond to that of the PoP;

proxying the network access request to an AAA service in the user's domain at an address and
port as specified in the domain identification entry of the database if the user's domain does not
correspond to that of the PoP.

8. (ORIGINAL) A method in accordance with claim 7, further comprising: 

obtaining an IP address for the user from the AAA service in the user's domain if the user's 
domain does not correspond to that of the PoP.



9. (CURRENTLY AMENDED) A method in accordance with claim 7, further 
comprising: 

assigning an IP address to the user from a local DHCP pool of IP [address] addresses if the 
user's domain does not correspond to that of the PoP. 

10. (ORIGINAL) A method in accordance with claim 7, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond to that 
of the PoP. 

11. (ORIGINAL) A method for managing network access to a data communications
network, said method comprising:

maintaining a central database, said central database containing access information for
authentication, authorization and accounting services associated with domains of the data
communications network;

maintaining at a point of presence (PoP) of the data communications network at least one AAA
service and at least one proxy service and at least one protocol gateway in communication with a
network access server (NAS);

periodically publishing information contained in said central database; 

subscribing at said AAA and said proxy service to information published from said central
database;

receiving at a protocol gateway in the PoP a network access request from a user through a
network access server (NAS); 

parsing the network access request at the protocol gateway for an identification of the user's 
domain; 

routing the network access request to an AAA service at the PoP if the user's domain 
corresponds to that of the PoP; 

looking up access information within a domain identification entry corresponding to the user's 
domain in a database associated with the proxy server if the user's domain does not correspond to 
that of the PoP; and 

proxying the network access request to an AAA service in the user's domain at an address and 
port as specified in the access information if the user's domain does not correspond to that of the 
PoP. 

12. (ORIGINAL) A method in accordance with claim 11, further comprising: 
obtaining an IP address for the user from an AAA service in the user's domain if the user's 
domain does not correspond to that of the PoP. 

13. (CURRENTLY AMENDED) A method in accordance with claim 11, further 
comprising: 

assigning an IP address to the user from a local DHCP pool of IP [address] addresses if the 
user's domain does not correspond to that of the PoP. 

14. (ORIGINAL) A method in accordance with claim 11, further comprising:

assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond to that 
of the PoP. 

15. (ORIGINAL) A method of managing network access requests to a data 

communications network, said method comprising: 

receiving at a protocol gateway in a point of presence (PoP) of the data communications network 

a network access request from a user through a network access server (NAS); 

parsing the network access request for an identification of the user's domain; 

routing the network access request to one of the plurality of authentication, authorization and 

accounting (AAA) services associated with the PoP if the user's domain corresponds to that of 

the PoP while load balancing among the plurality of AAA services; 

looking up a domain identification entry corresponding to the user's domain in a database if the 
user's domain does not correspond to that of the PoP; 

proxying the network access request via one of a plurality of proxy services to an AAA service 
in the user's domain at an address and port as specified in the domain identification entry of the 
database if the user's domain does not correspond to that of the PoP while load balancing among 
the plurality of proxy services. 
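
Added example, not part of the claims or of any implementation by the patentee: a minimal Python model of the gateway behaviour recited in claim 15, with the routing table filled by subscribed events as in claims 1 and 6. The `user@domain` username form, round-robin balancing, the event dictionary keys, and rejecting unknown or malformed domains are assumptions of this sketch; the claims do not specify them.

```python
import ipaddress
import itertools
import re
from dataclasses import dataclass

# Assumed domain syntax: lower-case letters, digits, dots and hyphens.
_DOMAIN_RE = re.compile(r"[a-z0-9](?:[a-z0-9.-]{0,253}[a-z0-9])?")


@dataclass(frozen=True)
class DomainEntry:
    """Domain identification entry: where the remote domain's AAA service listens."""
    address: str
    port: int


class ProtocolGateway:
    def __init__(self, pop_domain, aaa_services, proxy_services):
        self.pop_domain = pop_domain.lower()
        # Round-robin is one possible load-balancing policy (assumption).
        self._aaa = itertools.cycle(aaa_services)
        self._proxies = itertools.cycle(proxy_services)
        self.domain_table = {}

    def on_event(self, event):
        """Subscriber callback: apply one event published from the central database.

        Entries are validated before they are stored, so a malformed
        publication cannot redirect proxied requests to a bogus endpoint.
        """
        domain = event["domain"].lower()
        if not _DOMAIN_RE.fullmatch(domain):
            raise ValueError("invalid domain in event")
        if event.get("deleted"):
            self.domain_table.pop(domain, None)
            return
        address = str(ipaddress.ip_address(event["address"]))  # ValueError if not an IP
        port = int(event["port"])
        if not 1 <= port <= 65535:
            raise ValueError("port out of range")
        self.domain_table[domain] = DomainEntry(address, port)

    @staticmethod
    def parse_domain(username):
        """Return the normalised domain of 'user@domain', or None if ambiguous."""
        if username.count("@") != 1:
            return None  # no domain, or more than one '@': do not guess
        user, domain = username.split("@")
        domain = domain.lower()
        if not user or not _DOMAIN_RE.fullmatch(domain):
            return None
        return domain

    def route(self, username):
        """Decide where a network access request goes."""
        domain = self.parse_domain(username)
        if domain is None:
            return {"action": "reject", "reason": "no parsable domain"}
        if domain == self.pop_domain:
            # Domain corresponds to that of the PoP: use a local AAA service.
            return {"action": "local", "service": next(self._aaa)}
        entry = self.domain_table.get(domain)
        if entry is None:
            # Fail closed: never proxy to a domain with no published entry.
            return {"action": "reject", "reason": "unknown domain"}
        return {"action": "proxy", "via": next(self._proxies),
                "address": entry.address, "port": entry.port}


if __name__ == "__main__":
    # Constructed sample data (documentation address range, example domains).
    gw = ProtocolGateway("pop1.example", ["aaa-1", "aaa-2"], ["proxy-1", "proxy-2"])
    gw.on_event({"domain": "corp.example", "address": "192.0.2.10", "port": 1812})
    for name in ("alice@pop1.example", "carol@corp.example", "dave@other.example"):
        print(name, "->", gw.route(name))
```
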

16. (ORIGINAL) A method in accordance with claim 15, further comprising: 

obtaining an IP address for the user from the AAA service in the user's domain if the user's 
domain does not correspond to that of the PoP. 

17. (CURRENTLY AMENDED) A method in accordance with claim 15, further
comprising:

assigning an IP address to the user from a local DHCP pool of IP [address] addresses if the
user's domain does not correspond to that of the PoP.

18. (ORIGINAL) A method in accordance with claim 15, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet
received from the user's domain's AAA service if the user's domain does not correspond to that
of the PoP.

19. (CURRENTLY AMENDED) A method for managing network access to a data 
communications network, said method comprising: 

maintaining a central database, said central database containing access information for 
authentication, authorization and accounting (AAA) services associated with domains of the data
communications network;

maintaining at a point of presence (PoP) of the data communications network a plurality of AAA
services at least one AAA service and at least one proxy service and at least one protocol
gateway in communication with a network access server (NAS);

periodically publishing information contained in said central database;

subscribing at said AAA and said proxy service to information published from said central
database;

receiving at a protocol gateway in the PoP a network access request from a user through a
network access server (NAS);

parsing the network access request at the protocol gateway for an identification of the user's
domain;

routing the network access request to one of said plurality of AAA services at the PoP if the
user's domain corresponds to that of the PoP while load balancing among said plurality of AAA
services;

looking up access information within a domain identification entry corresponding to the user's
domain in a database associated with one of said plurality of proxy services if the user's domain
does not correspond to that of the PoP while load balancing among said plurality of proxy
services; and

proxying the network access request to an AAA service in the user's domain at an address and
port as specified in the access information if the user's domain does not correspond to that of the
PoP.

20. (ORIGINAL) A method in accordance with claim 19, further comprising: 
obtaining an IP address for the user from an AAA service in the user's domain if the user's 
domain does not correspond to that of the PoP. 

21. (CURRENTLY AMENDED) A method in accordance with claim 19, further 
comprising: 

assigning an IP address to the user from a local DHCP pool of IP [address] addresses if the 
user's domain does not correspond to that of the PoP. 

22. (ORIGINAL) A method in accordance with claim 19, further comprising:

assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond to that 
of the PoP. 

23. (ORIGINAL) A method of managing network access requests to a data 

communications network, said method comprising: 

receivingatap^ 

a network access request from a user through a network access server (NAS); 

parsing the network access request for an identification of the user's domain; 

routing the network access request to an authentication, authorization and accounting (AAA) 

service associated with the PoP if the user's domain corresponds to that of the PoP; 

looking up a domain identification entry corresponding to the user's domain in a database if the 

user's domain does not correspond to that of the PoP; 

proxying the network access request to an AAA service in the user's domain at an address and 
port as specified in the domain identification entry of the database if the user's domain does not 
correspond to that of the PoP. 

24. (CURRENTLY AMENDED) A method in accordance with claim [1] 23, further 
comprising: 

obtaining an IP address for the user from the AAA service in the user's domain if the user's
domain does not correspond to that of the PoP. 

25. (CURRENTLY AMENDED) A method in accordance with claim [1] 23, further
comprising:

assigning an IP address to the user from a local DHCP pool of IP [address] addresses if the
user's domain does not correspond to that of the PoP.

26. (CURRENTLY AMENDED) A method in accordance with claim [1] 23, further 
comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet
received from the user's domain's AAA service if the user's domain does not correspond to that
of the PoP.

27. (ORIGINAL) A system for data communications network access management, 

comprising: 

a central database containing information identifying access information for authentication, 
authorization and accounting (AAA) services associated with domains of the data 
communications network; 

a publisher, said publisher publishing information from said central database to subscribers over 
an information bus; 

a point of presence (PoP) on the data communications network, said PoP including a protocol 

gateway in communication with at least one network access server (NAS); 

an AAA service associated with said PoP and in communication with said protocol gateway, said
AAA service subscribing to information published by said publisher; and

a proxy service associated with the PoP and in communication with said protocol gateway, said
proxy service subscribing to information published by said publisher,

said protocol gateway receiving network access requests from users over the NAS, parsing the 
requests for domain identification and routing the requests for domains other than those 
associated with the PoP to the proxy service, 

said proxy service routing network access requests to AAA services in remote domains in 
accordance with said access information. 



28. (CURRENTLY AMENDED) A system in accordance with claim 27, further 
comprising: an AAA database associated with said AAA service; and a proxy database 
associated with said proxy service, 

said AAA database populated at instantiation of said AAA service by receiving information 
published by said publisher from said central database, 

said proxy database populated at instantiation of said proxy service by receiving information 
published by said publisher from said central database. 

29. (ORIGINAL) A system for data communications network access management, 

comprising: 

a central database containing information identifying access information for authentication, 
authorization and accounting (AAA) services associated with domains of the data 
communications network; 

a publisher, said publisher publishing information from said central database to subscribers over
an information bus; 

a point of presence (PoP) on the data communications network, said PoP including a protocol 
gateway in communication with at least one network access server (NAS);

a plurality of AAA services associated with said PoP and in communication with said protocol
gateway, said AAA services subscribing to information published by said publisher, and

a plurality of proxy services associated with said PoP and in communication with said protocol
gateway, said proxy services subscribing to information published by said publisher,

said protocol gateway receiving network access requests from users over the NAS, parsing the
requests for domain identification and routing the requests for domains other than those
associated with the PoP to one of said plurality of proxy services while load balancing among
them,

said proxy service routing network access requests to AAA services in remote domains in 
accordance with said access information. 

30. (CURRENTLY AMENDED) A system in accordance with claim 29, further 
comprising: 

a plurality of AAA databases associated with said respective AAA services; and 

a plurality of proxy databases associated with said respective proxy services, 

said AAA databases populated at instantiation of said respective AAA services by receiving 

information published by said publisher from said central database, 

said proxy databases populated at instantiation of said respective proxy services by receiving 

information published by said publisher from said central database. 

31. (NEW) A method for managing network access to a data communications 
network, said method comprising: 






Docket No.: CISCO-8363 
EV3 10857683US (REISSUE OF CISCO-0737) 

maintaining a central database coupled to the data communications network; 
maintaining at least a first authentication, authorization and accounting (AAA) service at a first 
point of presence (PoP) of the data communications network and a second AAA service at a 
second PoP of the data communications network; 

configuring a database associated with the first AAA service from the central database by
transporting information from the central database over the data communications network to the
database associated with the first AAA service; and

configuring a database associated with the second AAA service from the central database by
transporting information from the central database over the data communications network to the
database associated with the second AAA service.

32. (NEW) The method of claim 31, further comprising: 
periodically updating the database associated with the first AAA service from the central 
database by transporting information from the central database over the data communications 
network to the database associated with the first AAA service. 

33. (NEW) The method of claim 32, further comprising: 
periodically updating the database associated with the second AAA service from the central 
database by transporting information from the central database over the data communications 
network to the database associated with the second AAA service. 

34. (NEW) The method of claim 31, further comprising: 

receiving at a protocol gateway in the first PoP a network access request from a user through a 
network access server (NAS);

parsing the network access request for an identification of the user's domain;

routing the network access request to the first AAA service at the first PoP if the user's domain
corresponds to that of the first PoP;

looking up a domain identification entry corresponding to the user's domain in the first AAA
service's database if the user's domain does not correspond to that of the first PoP;

proxying the network access request to an AAA service in the user's domain at an address and
port as specified in the domain identification entry of the database if the user's domain does not
correspond to that of the first PoP.

35. (NEW) The method of claim 34, further comprising: 

obtaining an IP address for the user from the AAA service in the user's domain if the user's 
domain does not correspond to that of the first PoP. 

36. (NEW) The method of claim 34, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain
does not correspond to that of the first PoP.

37. (NEW) The method of claim 34, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet
received from the user's domain's AAA service if the user's domain does not correspond to that
of the first PoP.

38. (NEW) A method for managing network access to a data communications

network, said method comprising: 

maintaining a central database coupled to the data communications network; 
maintaining a plurality of first authentication, authorization and accounting (AAA) services at a 
first point of presence (PoP) of the data communications network and a second AAA service at a 
second PoP of the data communications network; 

configuring one or more databases associated with the first AAA services from the central 
database by transporting information from the central database over the data communications
network to the database(s) associated with the first AAA services; and 
configuring a database associated with the second AAA service from the central database by 
transporting information from the central database over the data communications network to the 
database associated with the second AAA service. 

39. (NEW) The method of claim 38, further comprising: 

receiving at a protocol gateway in the first PoP a network access request from a user through a 
network access server (NAS); 

parsing the network access request for an identification of the user's domain; 
routing the network access request to one of said plurality of first AAA services at the first PoP if
the user's domain corresponds to that of the first PoP while load balancing among said plurality
of first AAA services;

looking up a domain identification entry corresponding to the user's domain in one of said
plurality of first AAA service's database(s) if the user's domain does not correspond to that of the
first PoP;

proxying the network access request to an AAA service in the user's domain at an address and
port as specified in the domain identification entry of the database if the user's domain does not
correspond to that of the first PoP.



40. (NEW) The method of claim 39, further comprising: 

obtaining an IP address for the user from the AAA service in the user's domain if the user's 

domain does not correspond to that of the first PoP. 

41. (NEW) The method of claim 39, further comprising:

assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain 
does not correspond to that of the first PoP. 

42. (NEW) The method of claim 39, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond to that
of the first PoP. 

43. (NEW) A method for managing network access to a data communications 
network, said method comprising: 

maintaining a central database coupled to the data communications network, said central 
database containing access information for authentication, authorization and accounting (AAA) 
services associated with domains of the data communications network; 
maintaining at a first point of presence (PoP) of the data communications network at least one
first AAA service and at least one first proxy service and at least one first protocol gateway in
communication with a network access server (NAS);

periodically transporting information contained in the central database from the central database,
over the data communications network, to the first AAA service(s), the first proxy service(s) and
the first protocol gateway(s);

receiving at a protocol gateway in the first PoP a network access request from a user through a
network access server (NAS);

parsing the network access request at the first protocol gateway for an identification of the user's
domain;

routing the network access request to an AAA service at the first PoP if the user's domain
corresponds to that of the first PoP;

looking up access information within a domain identification entry corresponding to the user's
domain in a database associated with the first proxy server if the user's domain does not
correspond to that of the first PoP; and

proxying the network access request to an AAA service in the user's domain at an address and
port as specified in the access information if the user's domain does not correspond to that of the
first PoP.

44. (NEW) The method of claim 43, further comprising: 

obtaining an IP address for the user from an AAA service in the user's domain if the user's 

domain does not correspond to that of the first PoP. 

45. (NEW) The method of claim 43, further comprising:

assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain 
does not correspond to that of the first PoP. 

46. (NEW) The method of claim 43, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond to that
of the first PoP. 

47. (NEW) A method for managing network access requests to a data communications 
network, said method comprising: 

receiving at a protocol gateway in a first point of presence (PoP) of the data communications 

network a network access request from a user received through a network access server (NAS); 

parsing the network access request for an identification of the user's domain; 

routing the network access request to one of the plurality of authentication, authorization and
accounting (AAA) services associated with the first PoP if the user's domain corresponds to that
of the first PoP while load balancing among the plurality of AAA services;

looking up a domain identification entry corresponding to the user's domain in a database
associated with the one AAA if the user's domain does not correspond to that of the first PoP;

proxying the network access request via one of a plurality of proxy services to an AAA service
in the user's domain at an address and port as specified in the domain identification entry of the
database if the user's domain does not correspond to that of the first PoP while load balancing
among the plurality of proxy services.

48. (NEW) The method of claim 47, further comprising: 

obtaining an IP address for the user from the AAA service in the user's domain if the user's 
domain does not correspond to that of the first PoP. 

49. (NEW) The method of claim 47, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain 
does not correspond to that of the first PoP. 

50. (NEW) The method of claim 47, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond to that
of the first PoP. 

51. (NEW) A method for managing network access to a data communications 
network, said method comprising: 

maintaining a central database, said central database containing access information for 
authentication, authorization and accounting services associated with domains of the data
communications network;

maintaining at a first point of presence (PoP) of the data communications network a plurality of
AAA services at least one AAA service and at least one proxy service and at least one protocol
gateway in communication with a network access server (NAS);

periodically transmitting information contained in said central database over the data
communications network to said AAA and said proxy service; 

receiving at a protocol gateway in the PoP a network access request from a user through a 
network access server (NAS); 

parsing the network access request at the protocol gateway for an identification of the user's 
domain; 

routing the network access request to one of said plurality of AAA services at the first PoP if the
user's domain corresponds to that of the first PoP while load balancing among said plurality of
AAA services;

looking up access information within a domain identification entry corresponding to the user's
domain in a database associated with one of said plurality of proxy services if the user's domain
does not correspond to that of the first PoP while load balancing among said plurality of proxy
services; and

proxying the network access request to an AAA service in the user's domain at an address and
port as specified in the access information if the user's domain does not correspond to that of the
first PoP.

52. (NEW) The method of claim 51, further comprising: 

obtaining an IP address for the user from an AAA service in the user's domain if the user's 
domain does not correspond to that of the first PoP. 

53. (NEW) The method of claim 51, further comprising: 

assigning an IP address to the user from a local DHCP pool of IP addresses if the user's domain
does not correspond to that of the first PoP.



54. (NEW) The method of claim 51, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet 
received from the user's domain's AAA service if the user's domain does not correspond 



of the first PoP. 



55. (NEW) A method for managing network access requests to a data communications
network, said method comprising:

periodically transmitting updating information contained in a central database over the data
communications network to an authentication, authorization and accounting (AAA) service
associated with a first point of presence (PoP) of the data communications network;

receiving at a protocol gateway in the first point of presence (PoP) of the data communications
network a network access request from a user received through a network access server (NAS);

parsing the network access request for an identification of the user's domain;

routing the network access request to the AAA service associated with the first PoP if the user's
domain corresponds to that of the first PoP;

looking up a domain identification entry corresponding to the user's domain in a database if the
user's domain does not correspond to that of the first PoP;

proxying the network access request to an AAA service in the user's domain at an address and
port as specified in the domain identification entry of the database if the user's domain does not
correspond to that of the first PoP.

56. (NEW) The method of claim 55, further comprising:

obtaining an IP address for the user from the AAA service in the user's domain if the user's 
domain does not correspond to that of the first PoP. 

57. (NEW) The method of claim 55, further comprising: 
assigning an IP address to the user from a local DHCP pool of IP 

does not correspond to that of the first PoP.

58. (NEW) The method of claim 55, further comprising: 

assigning an IP address to the user from an IP address pool identified in an access-accept packet
received from the user's domain's AAA service if the user's domain does not correspond to that
of the first PoP.

59. (NEW) A system for data communications network access management, 
comprising: 

a centra, database containtng information identifying access information for authentication, 
authorization and accounting (AAA) services associated with domains of .he data 
communications network; 

a first point of presence (PoP) on the data communications network, said first PoP including a 
protocol gateway in communication with at least one network access server (NAS); 
an AAA service associated with said first PoP and in communication with said protocol gateway 
and the data communications network; 
a proxy service associated with the first PoP and in communication with said protocol gateway 
and the data communications network, 

a transmitter, said transmitter transmitting information from said central database to said AAA 
service at said first PoP and said proxy service at said first PoP over the data communications 
network; 

said protocol gateway receiving network access requests from users over the NAS, parsing the 
requests for domain identification and routing the requests for domains other than those 
associated with the first PoP to the proxy service, 

said proxy service routing network access requests to AAA services in remote domains in 
accordance with said access information. 

60. (NEW) The system of claim 59, further comprising: 

an AAA database associated with said AAA service at said first PoP; 

a proxy database associated with said proxy service at said first PoP, 

said AAA database populated at instantiation of said AAA service by receiving information 
transmitted by said transmitter from said central database, 

said proxy database populated at instantiation of said proxy service by receiving information 
transmitted by said transmitter from said database. 

61. (NEW) A system for data communications network access management, 
comprising: 

a central database containing information identifying access information for authentication, 
authorization and accounting (AAA) services associated with domains of the data 
communications network; 

a first point of presence (PoP) on the data communications network, said first PoP including a 
protocol gateway in communication with at least one network access server (NAS); 

a plurality of AAA services associated with said first PoP and in communication with said 
protocol gateway, said AAA services subscribing to information published by said publisher; 

a plurality of proxy services associated with said first PoP and in communication with said 
protocol gateway, said proxy services subscribing to information published by said publisher; 

and 

a transmitter, said transmitter transmitting information from said central database over the data 
communications network to said plurality of AAA services associated with said first PoP and to 
said plurality of proxy services associated with said first PoP, 

said protocol gateway receiving network access requests from users over the NAS, parsing the 
requests for domain identification and routing the requests for domains other than those 
associated with the first PoP to one of said plurality of proxy services while load balancing 
among them, 

said proxy service routing network access requests to AAA services in remote domains in 
accordance with said access information. 
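
An added illustration of the request path recited in claim 61 (not part of the application or any implementation by the applicant): a gateway parses the user's domain, hands local users to the local AAA service, and load balances other domains across proxies that look up the remote AAA address and port. The `user@domain` identity format, round-robin balancing, all class names, and the sample addresses and port are assumptions made for this sketch.

```python
from dataclasses import dataclass
from itertools import cycle


@dataclass(frozen=True)
class DomainEntry:
    """Domain identification entry: where a remote domain's AAA service listens."""
    address: str
    port: int


class ProxyService:
    """Proxy at the PoP; its database is a copy of entries from the central database."""

    def __init__(self, name, domain_db):
        self.name = name
        self.domain_db = dict(domain_db)

    def route(self, user, domain):
        entry = self.domain_db.get(domain)
        if entry is None:
            # Unknown domain: refuse instead of forwarding to a guessed destination.
            return ("reject", self.name, None)
        return ("proxy", self.name, (entry.address, entry.port))


class ProtocolGateway:
    def __init__(self, local_domain, proxies):
        self.local_domain = local_domain.lower()
        self._next_proxy = cycle(proxies)  # round-robin load balancing (assumed policy)

    @staticmethod
    def parse_domain(identity):
        """Split 'user@domain'; return None when either part is missing."""
        user, sep, domain = identity.rpartition("@")
        if not sep or not user or not domain:
            return None
        return user, domain.lower()

    def handle(self, identity):
        parsed = self.parse_domain(identity)
        if parsed is None:
            return ("reject", None, None)
        user, domain = parsed
        if domain == self.local_domain:
            return ("local", "aaa", None)
        return next(self._next_proxy).route(user, domain)


# Constructed sample data: documentation address range, example domains.
CENTRAL_DB = {"isp-b.example": DomainEntry("192.0.2.10", 1812)}


def demo():
    proxies = [ProxyService("proxy-1", CENTRAL_DB), ProxyService("proxy-2", CENTRAL_DB)]
    gateway = ProtocolGateway("isp-a.example", proxies)
    identities = ("alice@isp-a.example", "bob@ISP-B.example", "carol@isp-b.example",
                  "dave@unknown.example", "no-domain")
    return [gateway.handle(identity) for identity in identities]
```
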

62. (NEW) The system of claim 61, further comprising: 

a plurality of AAA databases associated with said respective AAA services at said first PoP; and 
a plurality of proxy databases associated with said respective proxy services at said first PoP, 
said AAA databases populated at instantiation of said respective AAA services by receiving 
information transmitted by said transmitter from said central database, 

said proxy databases populated at instantiation of said respective proxy services by receiving 
information transmitted by said transmitter from said central database. 

63. (NEW) A system for managing access to a data communications network, said 
system comprising: 

means for communicating with a central database via the data communications network, the 
central database containing information identifying access information for authentication, 
authorization and accounting (AAA) services associated with domains of the data 
communications network; 

means for communicating with a local AAA service associated with a local Point of Presence 
(PoP); 

means for communicating with a remote AAA service via a local proxy service; 
means for instantiating the local AAA service from the central database; 

means for receiving a network access request from a user through a local network access server 
(NAS); 

means for checking the network access request to determine an identification of the user's 
domain; 

means for routing the network access request to the local AAA service if the user's domain 
corresponds to that of the local PoP; 

means for looking up a domain identification entry corresponding to the user's domain in the 
local AAA service's database if the user's domain does not correspond to that of the local PoP; 
and 
means for proxying the network access request to a remote AAA service in the user's domain at 
an address and port as specified in the domain identification entry of the database if the user's 
domain does not correspond to that of the local PoP. 

64. (NEW) A system for managing access to a data communications network, said 
system comprising: 

means for communicating with a central database via the data communications network, the 
central database containing information identifying access information for authentication, 
authorization and accounting (AAA) services associated with domains of the data 
communications network; 

means for communicating with a plurality of local AAA services associated with a local Point of 
Presence (PoP); 

means for communicating*^^ 

means for communicating with a remote AAA service via a local proxy service; 
means for instantiating the local AAA services from the central database; 
means for instantiating the local proxy services from the central database; 
means for receiving a network access request from a user through a local network access server 
(NAS); 

means for checking the network access request to determine an identification of the user's 
domain; 

means for routing the network access request to the local AAA service if the user's domain 
corresponds to that of the local PoP; 

means for looking up a domain identification entry corresponding to the user's domain with the 
local AAA services if the user's domain does not correspond to that of the local PoP; 

means for proxying the network access request to a remote AAA service in the user's domain at 
an address and port as specified in the domain identification entry of the local AAA services' 
database if the user's domain does not correspond to that of the local PoP; and 

means for receiving network access requests from users over a network access server (NAS), 
parsing the requests for domain identification and routing the requests for domains other than 
those associated with the first PoP to one of said plurality of proxy services while load balancing 
among them, 

said proxy service routing network access requests to the remote AAA service in accordance 
with said access information. 

65. (NEW) A method for accounting for use of a data communications network, said 
method comprising: 

means for communicating with a central database via the data communications network, the 
central database containing information identifying access information for authentication, 
authorization and accounting (AAA) services associated with domains of the data 
communications network; 

means for communicating with at least one local AAA service associated with a local Point of 
Presence (PoP); 

means for communicating with a remote AAA service; 

means for instantiating the local AAA services from the central database; 

means for receiving a network access request from a user through a local network access server 
(NAS); 

means for checking the network access request to determine an identification of the user's 
domain; 

means for routing accounting information associated with the user to the local AAA service if 
the user's domain corresponds to that of the local PoP; 

means for looking up a domain identification entry corresponding to the user's domain with the 
local AAA services if the user's domain does not correspond to that of the local PoP; 
means for routing the accounting information to a remote AAA service in the user's domain at an 
address and port as specified in the domain identification entry of the local AAA services' 
database if the user's domain does not correspond to that of the local PoP. 

66. (NEW) A method for managing network access accounting in a data 
communications network, said method comprising: 

maintaining a central database coupled to the data communications network; 

maintaining at least a local authentication, authorization and accounting (AAA) service at a local 
point of presence (PoP) of the data communications network; 

configuring a database associated with the local AAA service from the central database by 
transporting information from the central database over the data communications network to the 
database associated with the local AAA service; 

receiving accounting information from a network access server (NAS) responsive to utilization 
of the data communications network by a user coupled to the data communications network 
through the NAS; 

forwarding said accounting information to the local AAA service if the user's domain 
corresponds to that of the local PoP; and 
forwarding said accounting information to a remote AAA service in the user's domain at an 
address and port as specified in the domain identification entry of the local AAA service's 
database if the user's domain does not correspond to that of the local PoP. 

67. (NEW) An apparatus for managing network access accounting in a data 
communications network, said apparatus comprising: 

means for maintaining a central database coupled to the data communications network; 
means for maintaining at least a local authentication, authorization and accounting (AAA) 
service at a local point of presence (PoP) of the data communications network; 
means for configuring a database associated with the local AAA service from the central 
database by transporting information from the central database over the data communications 
network to the database associated with the local AAA service; 

means for receiving accounting information from a network access server (NAS) responsive to 
utilization of the data communications network by a user coupled to the data communications 
network through the NAS; 

means for forwarding said accounting information to the local AAA service if the user's domain 
corresponds to that of the local PoP; and 

means for forwarding said accounting information to a remote AAA service in the user's domain 
at an address and port as specified in the domain identification entry of the local AAA service's 
database if the user's domain does not correspond to that of the local PoP. 

68. (NEW) A system for managing network access to a data communications network, 
said method comprising: 
a central database coupled to the data communications network; 

at least a first authentication, authorization and accounting (AAA) service at a first point of 
presence (PoP) of the data communications network and a second AAA service at a second PoP 
of the data communications network; and 

a database configurer configuring a database associated with the first AAA service from the 
central database by transporting information from the central database over the data 
communications network to the database associated with the first AAA service and configuring a 
database associated with the second AAA service from the central database by transporting 
information from the central database over the data communications network to the database 
associated with the second AAA service. 

69. (NEW) An apparatus for managing network access to a data communications 
network, said method comprising: 

means for maintaining a central database coupled to the data communications network; 
means for maintaining at least a first authentication, authorization and accounting (AAA) service 
at a first point of presence (PoP) of the data communications network and a second AAA service 
at a second PoP of the data communications network; 

means for configuring a database associated with the first AAA service from the central database 
by transporting information from the central database over the data communications network to 
the database associated with the first AAA service; and 

means for configuring a database associated with the second AAA service from the central 
database by transporting information from the central database over the data communications 
network to the database associated with the second AAA service. 

70. (NEW) A system for managing network access to a data communications network, 
said method comprising: 

a central database coupled to the data communications network; 

a plurality of first authentication, authorization and accounting (AAA) services disposed at a 
first point of presence (PoP) of the data communications network and a second AAA service 
disposed at a second PoP of the data communications network; 

a first database configurer configuring one or more databases associated with the first AAA 
services from the central database by transporting information from the central database over the 
data communications network to the database(s) associated with the first AAA services; and 
a second database configurer configuring a database associated with the second AAA service 
from the central database by transporting information from the central database over the data 
communications network to the database associated with the second AAA service. 

71. (NEW) An apparatus for managing network access to a data communications 
network, said method comprising: 

means for maintaining a central database coupled to the data communications network; 
means for maintaining a plurality of first authentication, authorization and accounting (AAA) 
service at a first point of presence (PoP) of the data communications network and a second AAA 
service at a second PoP of the data communications network; and 

means for configuring one or more databases associated with the first AAA services from the 
central database by transporting information from the central database over the data 
communications network to the database(s) associated with the first AAA services; and 
means for configuring a database associated with the second AAA service from the central 
database by transporting information from the central database over the data communications 
network to the database associated with the second AAA service. 

72. (NEW) A system for managing network access to a data communications network, 
said method comprising: 

a central database coupled to the data communications network; 

a plurality of first authentication, authorization and accounting (AAA) services disposed at a 
first point of presence (PoP) of the data communications network and a second AAA service 
disposed at a second PoP of the data communications network; and 

a database configurer configuring one or more databases associated with the first AAA services 
from the central database by transporting information from the central database over the data 
communications network to the database(s) associated with the first AAA services and 
configuring a database associated with the second AAA service from the central database by 
transporting information from the central database over the data communications network to the 
database associated with the second AAA service. 



73. (NEW) An apparatus for managing network access to a data communications 
network, said method comprising: 

means for maintaining a central database coupled to the data communications network; 
means for maintaining a plurality of first authentication, authorization and accounting (AAA) 
service at a first point of presence (PoP) of the data communications network and a second AAA 
service at a second PoP of the data communications network; and 

means for configuring one or more databases associated with the first AAA services from the 
central database by transporting information from the central database over the data 
communications network to the database(s) associated with the first AAA services and for 
configuring a database associated with the second AAA service from the central database by 
transporting information from the central database over the data communications network to the 
database associated with the second AAA service. 